To configure the trust chain correctly, you must ensure that the
properties align with WebSEAL configuration properties. Before running the
trust chain wizard, you should:
To build the trust chain:
- Log in to the WebSphere® console.
- Click Tivoli Federated Identity Manager -> Configure
Trust Service -> Trust Service Chains. The Trust Service
Chains portlet is displayed.
- Click Create. The configuration
wizard starts. The Introduction page is displayed.
- Click Next. The Chain Mapping
Identification panel is displayed.
- Enter the requested values.
- Enter a name in the Chain Mapping Name field.
- Optionally enter a description in the Description field.
- Do not select the Create a dynamic chain check box.
- Click Next. The Chain
Mapping Lookup panel is displayed.
- Enter the requested values.
- Set Request Type to Issue Oasis URI. The wizard automatically
enters the corresponding value for Request Type URI.
- Set Lookup Type to Use Traditional WS-Trust
Elements (AppliesTo, Issuer, and TokenType).
- Enter values in the AppliesTo section. These values must match the
AppliesTo that WebSEAL sends in its token requests. Enter values for the fields:
For help, see Planning configuration of the trust chain.
- Enter values in the Issuer section.
- In the Address field, enter:
amwebrte-sts-client
- Leave the Service Name field and Port Type field blank.
- For Token Type, select Kerberos GSS V5.
- Click Next.
The Chain Identification
panel is displayed.
- Do not select Initialize the chain upon startup
of runtime. Click Next.
The Chain
Assembly panel is displayed.
- Build the trust chain:
- For Module Instance, select Default IVCred Token.
- For Mode, select validate.
- Click Add selected module to chain.
- For Module Instance, select the Module Instance Name you specified
in Creating a Kerberos constrained delegation module instance, for example
Kerberos Junction.
- For Mode, select issue.
- Click Add selected module to chain.
- Click Next.
The
Access Manager Credential (IVCred) Module Configuration panel is displayed.
- Do not select Enable signature validation.
Click Next.
The Kerberos Delegation Module
Configuration panel is displayed.
- If necessary, specify the Default target Service Principal
Name or change the options for adding a suffix to the Tivoli® Access Manager user name for Kerberos
Authentication.
- Click Next. The Summary panel is displayed.
- Click Finish.
- In the Current Domain portlet, click Load configuration
changes to the Tivoli Federated Identity Manager runtime.
The trust chain configuration is now complete.
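The wizard steps above define three lookup keys (AppliesTo, Issuer address, and TokenType) that the trust service uses to route an incoming WS-Trust request to this chain. The following Python script is an added illustration, not code from the product or from this page: it builds a constructed RequestSecurityToken of the shape WebSEAL sends, extracts the three keys, and runs the same lookup against a chain definition that mirrors the values entered in the wizard. The namespace URIs (WS-Trust 1.3, WS-Policy 2004/09, WS-Addressing 2005/08), the token type URI used for Kerberos GSS V5, the AppliesTo address https://app.example.com/... and the use of a regular expression for AppliesTo are all assumptions of the example; check them against your WebSEAL junction configuration.

```python
"""Simulate a TFIM trust-chain lookup (AppliesTo, Issuer, TokenType).

Added example. The namespace URIs, the Kerberos token type URI and the
sample AppliesTo address are assumptions, not values taken from the page.
"""
import re
import xml.etree.ElementTree as ET

# Assumed namespaces: WS-Trust 1.3, WS-Policy 2004/09, WS-Addressing 2005/08.
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# "Issue Oasis URI" as selected in the wizard.
WST_ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
# Assumed URI for the "Kerberos GSS V5" token type.
KERBEROS_GSS_V5 = ("http://docs.oasis-open.org/wss/"
                   "oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ")

# Chain definition mirroring the wizard entries. The AppliesTo address is
# treated as a regular expression (assumption); the issuer is the value the
# page tells you to enter; the module list is the assembled chain.
CHAINS = [
    {
        "name": "Kerberos Junction chain",
        "request_type": WST_ISSUE,
        "applies_to": r"https://app\.example\.com/.*",  # constructed
        "issuer": "amwebrte-sts-client",
        "token_type": KERBEROS_GSS_V5,
        "modules": [("Default IVCred Token", "validate"),
                    ("Kerberos Junction", "issue")],
    },
]


def build_rst(applies_to, issuer="amwebrte-sts-client",
              token_type=KERBEROS_GSS_V5, request_type=WST_ISSUE):
    """Return a constructed RST (not a WebSEAL capture) with the given keys."""
    return f"""<wst:RequestSecurityToken xmlns:wst="{NS['wst']}"
    xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{request_type}</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference><wsa:Address>{applies_to}</wsa:Address></wsa:EndpointReference>
  </wsp:AppliesTo>
  <wst:Issuer><wsa:Address>{issuer}</wsa:Address></wst:Issuer>
  <wst:TokenType>{token_type}</wst:TokenType>
</wst:RequestSecurityToken>"""


def parse_rst(xml_text):
    """Extract the four lookup-relevant elements from an RST document."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "request_type": text("wst:RequestType"),
        "applies_to": text("wsp:AppliesTo/wsa:EndpointReference/wsa:Address"),
        "issuer": text("wst:Issuer/wsa:Address"),
        "token_type": text("wst:TokenType"),
    }


def lookup_chain(rst, chains=CHAINS):
    """Return the first chain whose keys all match the request, else None."""
    for chain in chains:
        if (rst["request_type"] == chain["request_type"]
                and rst["issuer"] == chain["issuer"]
                and rst["token_type"] == chain["token_type"]
                and rst["applies_to"] is not None
                and re.fullmatch(chain["applies_to"], rst["applies_to"])):
            return chain
    return None


def chain_for(applies_to, issuer="amwebrte-sts-client",
              token_type=KERBEROS_GSS_V5):
    """Convenience wrapper: build, parse and look up; return the chain name."""
    chain = lookup_chain(parse_rst(build_rst(applies_to, issuer, token_type)))
    return chain["name"] if chain else None


if __name__ == "__main__":
    print(chain_for("https://app.example.com/kerbjct/index.html"))
    print(chain_for("https://app.example.com/kerbjct/", issuer="other-client"))
```

The lookup is all-or-nothing: a request whose Issuer address, TokenType or AppliesTo differs from what was entered in the wizard matches no chain and is rejected by the trust service, which is why the WebSEAL side and the chain definition have to agree. The Issuer address is a routing key only; the caller's credential is checked by the IVCred module in validate mode once the chain has been selected.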